
None • 1 year ago

Great article, Martin Smolár. Thanks.

Marco Colonna • 1 year ago

how can a common user (non-IT) mitigate this?

RAHUL UPADHYAY • 1 year ago

We could not find matches between the exploit file hashes available on GitHub (Baton Drop) and the exploitation payload SHA1 hashes you provided.
I am looking to write a YARA rule to detect the POC exploit.
Can you help with this?

Regards,
Rahul Upadhyay

Nouredine • 1 year ago

I reinstalled Windows 11 Home edition two times, but the malware always comes back on my HP Pavilion laptop, automatically deactivating Windows Defender virtualization, browser, and application control. Is there any way to eliminate it?

Lionel Plais • 1 year ago

Very good article. Well detailed.
I was wondering if this kind of malware could also attack Linux systems. They too use an EFI partition with GRUB. That makes them potential targets.

Guest • 1 year ago

Good Bot, Bad Bot • 1 year ago

You would probably need to be online for any initial infection, like most malware, unless you insert, say, an infected USB stick into your machine. Offline here refers to the malware installer itself, and in this case means that the Windows binaries needed to bypass Secure Boot are already included.

I am not aware of BlackLotus targeting any other OS, so Windows only.

bob • 1 year ago

Martin, any chance you would be able to upload the samples to malwarebazaar or any other public malware repository? This way the community will be able to do their own analysis as well.